Emerging ransomware gang extorts 10 targets in less than a month

Target Industry

Agricultural, education, healthcare, IT and manufacturing industry sectors.

Overview

A ransomware gang, being tracked as ‘Dark Power’, has emerged as a significant threat throughout the previous one-month period in which at least 10 organisations have been targeted. Thus far, the threat actor group has targeted victims in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey and the US, spanning the agriculture, education, healthcare, IT and manufacturing sectors.

The standard operating procedure of Dark Power is similar to that of other ransomware groups, with the exception of two key features:

– The speed and lack of tactical considerations
– The use of the ‘Nim’ programming language.

Dark Power attacks follow the typical ransomware cyber kill chain model:

1. Social-engineering victims via phishing emails
2. Downloading and encrypting files
3. Demanding the ransom
4. Extorting victims multiple times regardless of whether they pay the ransom.

The ransomware itself does not upload any files, leading to the assumption that the data exfiltration is conducted manually, and prior to the deployment of the ransomware. Moreover, strong encryption algorithms are used by the Dark Power ransomware to encrypt the victim’s data, ensuring that it is almost impossible for the data to be recovered without the decryption key.

Impact

Successful exploitation by the Dark Power ransomware group will result in the encryption and exfiltration of significant quantities of data held on compromised devices or systems, prior to a ransom of a predetermined amount being demanded. Encrypted data may include private customer information, corporate finance information, and system credentials that, if released, could provide threat actors with further targeting opportunities.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as Dark Power. EDRs can alert system users of potential breaches and prevent further progress prior to the malware being able to implement significant damage.

Affected Products

No specific products have been identified as being targeted by Dark Power.

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to detect markers of phishing emails. A main initial ingress mechanism utilised by Dark Power, as well as other ransomware groups, is the distribution of phishing emails with malicious attachments. Whilst user awareness, through the application of regular phishing training, would assist in reducing the likelihood of successful exploitation, in-house training will not be able to prevent attacks led by threat actors with stolen credentials obtained via stealware. Additional technical controls should also be explored. These controls could encompass the implementation of the multi-factor authentication (MFA) requirement for all users, conditional access policies and web proxies filtering on low or non-reputation domains.

A primary method of reducing the threat of Dark Power ransomware is to detect it in the early stages through the use of an effective and monitored EDR solution. An effective EDR tool such as the Microsoft Defender suite will block ransomware attempts once detected.

Organisations can also perform routine back-ups of sensitive data (with stored offline copies) that is required to operate business procedures. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to resort to, and the business can continue to operate with minimal disruption. However, this does not nullify the fact that customer and employee data may have also been lost, and potentially released at will by the Dark Power threat actors if demands are not met.

Indicators of Compromise

Dark Power associated file hashes (SHA-256):

– 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389
– 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394

Dark Power Detection Signatures

– Trojan.GenericKD.65499855
– Trojan.GenericKD.65428966
– Ransomware.Win64.Crypren.FEC3
– Malware.Binary.exe

Threat Landscape

Ransomware continues to be one of the prominent threats facing all industry sectors. Recent attacks have been reported to have occurred against global government organisations, indicating that the threat is growing as criminal groups are becoming comfortable demanding ever-increasing ransom values. As mentioned above, initial Dark Power attack efforts have targeted specific industry sectors. However, there is insufficient evidence at this early stage to suggest any motivations regarding this scope of targeting.

Within the cyber threat landscape, a trend is emerging of threat actors extending their arsenal to include alternative programming languages. The result is that even though they are applying a consistent set of tactics, techniques and procedures (TTPs), the associated malware will evade detection. Malware creators, such as Dark Power, use Nim due to its ease of use and its cross-platform capabilities. Such a procedure also requires cyber defenders to continuously update their knowledge of programming languages, the required resources of which outweigh that which is required for a threat actor to learn the language.

Threat Group

The Dark Power ransomware group operates on the basis of a double extortion technique. Not only does the group encrypt the private data of the victim and demand a ransom for the keys, but they also threaten the victim with the publishing of their data on their own dark webpage. This is likely designed to increase pressure on the victim and increase the likelihood of the desired payment. Despite the group’s recent emergence, it is highly likely that they are composed of sophisticated cybercriminals who have experience with ransomware extortion tactics, due to the application of the double extortion technique, as well as their relatively quick rise to notoriety.

Mitre Methodologies

Tactic:

TA0002 – Execution

Execution Techniques:

T1059 – Command and Scripting Interpreter
T1047 – Windows Management Instrumentation

Tactic:

TA0005 – Defense Evasion

Defense Evasion Techniques:

T1027 – Obfuscated Files or Information
T1140 – Deobfuscate/Decode Files or Information
T1070.001 – Indicator Removal: Clear Windows Event Logs

Tactic:

TA0007 – Discovery

Discovery Techniques:

T1082 – System Information Discovery
T1057 – Process Discovery

Tactic:

TA0040 – Impact

Impact Techniques:

T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
T1489– Service Stop

Further Information

Trellix Report
Dark Reading Article